The Auth0-React SDK seems to simplify what is the fairly complicated process of setting up OAuth inside a React application.
The tutorials that exist show how to set up the React side, but following this tutorial it links to various backend quick starts, of which Express is one.
However, there is nothing specifically for Lambda or other serverless approaches.
What is the intended use case here? Am I meant to set up a custom authorizer (as shown here) and have the React app target Lambdas that I attach to it? My understanding is the React SDK will attach an Authorization header to each API request that the custom authorizer will verify.
But then what about refresh tokens? Silent token requests? How does the rest of the authorization code auth flow integrate into my serverless setup?
Still wondering if anyone can help on this. I have progressed without using Auth0 and instead using my own Lambda authorization but this is only for a small project. I have a larger project in the pipeline and Auth0 looks attractive if I can get some of these issues ironed out.
The React app will function the same, regardless of it consuming APIs that are hosted in a serverless environment.
Your React app will request tokens from Auth0 intended for your API (serverless functions), will then send those tokens in a header along with a request, and your API will verify the tokens and either fulfill or deny the request depending on the validity of the token, scopes, permissions, etc.
This is largely the same as a more traditional non-serverless scenario.
This doc shows how to call an API with the token from your React app.
Many thanks for getting back to me on this thread; I thought it was dead but I am still mulling this over so I appreciate your input!
From what you’ve said, I understand that - in an AWS environment - I would use a custom authorizer to intercept the Authorization header that was generated by Auth0 and then validate it in some way. My understanding of all this has increased since I made this thread so I think I can manage that.
My other issue was refresh tokens - nobody wants to have to sign in again after an hour. From the article you have linked it says the SDK basically handles that for us:
The getAccessTokenSilently() method can renew the access and ID token for you using refresh tokens. To get a refresh token when a user logs in, pass useRefreshTokens={true} as a prop to Auth0Provider.
…which is great if so; it sounds deceptively easy.
The SDK does most of the heavy lifting: the code exchanges, refresh token rotation or cookies for silent requests, etc. There isn't much you should have to configure. I would recommend looking at our React quickstart if you want to see a sample app with best practices.